e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher Stephen Gallagher <sgallagh@redhat.com>
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher Copyright (C) 2011 Red Hat
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher This program is free software; you can redistribute it and/or modify
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher it under the terms of the GNU General Public License as published by
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher the Free Software Foundation; either version 3 of the License, or
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher (at your option) any later version.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher This program is distributed in the hope that it will be useful,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher but WITHOUT ANY WARRANTY; without even the implied warranty of
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher GNU General Public License for more details.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher You should have received a copy of the GNU General Public License
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher along with this program. If not, see <http://www.gnu.org/licenses/>.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "providers/ipa/ipa_hbac_private.h"
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Return values */
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenyipa_hbac_service_info_next(struct tevent_req *req,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_service_info_done(struct tevent_req *subreq);
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenyipa_hbac_servicegroup_info_next(struct tevent_req *req,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_servicegroup_info_done(struct tevent_req *subreq);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_service_info_send(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher req = tevent_req_create(mem_ctx, &state, struct ipa_hbac_service_state);
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher service_filter = talloc_asprintf(state, "(objectClass=%s)",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher state->attrs = talloc_array(state, const char *, 6);
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Failed to allocate service attribute list.\n");
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenystatic errno_t ipa_hbac_service_info_next(struct tevent_req *req,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny base = state->search_bases[state->search_base_iter];
92ec40e6aa25f75903ffdb166a8ec56b67bfd77dPavel Březina state->cur_filter = sdap_combine_filters(state, state->service_filter,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "Sending request for next search base: "
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Error requesting service info\n");
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny tevent_req_set_callback(subreq, ipa_hbac_service_info_done, req);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_service_info_done(struct tevent_req *subreq)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tevent_req_callback_data(subreq, struct tevent_req);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tevent_req_data(req, struct ipa_hbac_service_state);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sdap_get_generic_recv(subreq, state,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret == ENOENT || state->service_count == 0) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* If there are no services, we'll shortcut out
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * This is still valid, as rules can apply to
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * all services
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * There's no reason to try to process groups
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = replace_attribute_name(IPA_MEMBEROF, SYSDB_ORIG_MEMBEROF,
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not replace attribute names\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher servicegroup_filter = talloc_asprintf(state, "(objectClass=%s)",
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny ret = ipa_hbac_servicegroup_info_next(req, state);
71ad247500b417836a1a2edec257a4433a7c415fJan Zelenyipa_hbac_servicegroup_info_next(struct tevent_req *req,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny base = state->search_bases[state->search_base_iter];
92ec40e6aa25f75903ffdb166a8ec56b67bfd77dPavel Březina state->cur_filter = sdap_combine_filters(state, state->service_filter,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny /* Look up service groups */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "Sending request for next search base: "
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Error requesting servicegroup info\n");
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny tevent_req_set_callback(subreq, ipa_hbac_servicegroup_info_done, req);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_servicegroup_info_done(struct tevent_req *subreq)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tevent_req_callback_data(subreq, struct tevent_req);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tevent_req_data(req, struct ipa_hbac_service_state);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sdap_get_generic_recv(subreq, state,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny ret = replace_attribute_name(IPA_MEMBER, SYSDB_ORIG_MEMBER,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not replace attribute names\n");
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny ret = replace_attribute_name(IPA_MEMBEROF, SYSDB_ORIG_MEMBEROF,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not replace attribute names\n");
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny total_count = state->servicegroup_count + group_count;
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny state->servicegroups = talloc_realloc(state, state->servicegroups,
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny while (state->servicegroup_count < total_count) {
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny target = &state->servicegroups[state->servicegroup_count];
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny *target = talloc_steal(state->servicegroups, groups[i]);
71ad247500b417836a1a2edec257a4433a7c415fJan Zeleny ret = ipa_hbac_servicegroup_info_next(req, state);
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "Error [%d][%s]\n", ret, strerror(ret));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagheripa_hbac_service_info_recv(struct tevent_req *req,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher tevent_req_data(req, struct ipa_hbac_service_state);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *services = talloc_steal(mem_ctx, state->services);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (c = 0; c < state->service_count; c++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Guarantee the memory heirarchy of the list */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_steal(state->services, state->services[c]);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *servicegroup_count = state->servicegroup_count;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *servicegroups = talloc_steal(mem_ctx, state->servicegroups);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_service_attrs_to_rule(TALLOC_CTX *mem_ctx,
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Processing PAM services for rule [%s]\n", rule_name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_services = talloc_zero(tmp_ctx, struct hbac_rule_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* First check for service category */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = hbac_get_category(rule_attrs, IPA_SERVICE_CATEGORY,
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify service categories\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (new_services->category & HBAC_CATEGORY_ALL) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Short-cut to the exit */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the list of DNs from the member attr */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_el(rule_attrs, IPA_MEMBER_SERVICE, &el);
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_get_el failed.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret == ENOENT || el->num_values == 0) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "No services specified, rule will never apply.\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Assume maximum size; We'll trim it later */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_services->names = talloc_array(new_services,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_services->groups = talloc_array(new_services,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher filter = talloc_asprintf(member_dn, "(%s=%s)",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* First check if this is a specific service */
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fbMichal Zidek ret = sysdb_search_custom(tmp_ctx, domain, filter,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Original DN matched multiple services. "
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Skipping \n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Original DN matched a single service. Get the service name */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher name = ldb_msg_find_attr_as_string(msgs[0], IPA_CN, NULL);
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (new_services->names[num_services] == NULL) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "Added service [%s] to rule [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher } else { /* ret == ENOENT */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Check if this is a service group */
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fbMichal Zidek ret = sysdb_search_custom(tmp_ctx, domain, filter,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Original DN matched multiple service groups. "
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Skipping\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Original DN matched a single group. Get the groupname */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher name = ldb_msg_find_attr_as_string(msgs[0], IPA_CN, NULL);
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher talloc_strdup(new_services->groups, name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (new_services->groups[num_servicegroups] == NULL) {
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Added service group [%s] to rule [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher } else { /* ret == ENOENT */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Neither a service nor a service group? Skip it */
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "[%s] does not map to either a service or "
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_services->groups[num_servicegroups] = NULL;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Shrink the arrays down to their real sizes */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_services->names = talloc_realloc(new_services, new_services->names,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_services->groups = talloc_realloc(new_services, new_services->groups,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *services = talloc_steal(mem_ctx, new_services);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagherget_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* This is an IPA-specific hack. It may not
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * work for non-IPA servers and will need to
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * be changed if SSSD ever supports HBAC on
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * a non-IPA server.
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher dn = ldb_dn_new(mem_ctx, sysdb_ctx_get_ldb(sysdb), service_dn);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* RDN, services, hbac, and at least one DC= */
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* If it's fewer, it's not a group DN */
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* If the RDN name is 'cn' */
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* Shouldn't happen if ldb_dn_validate()
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * passed, but we'll be careful.
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* RDN has the wrong attribute name.
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * It's not a service.
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* and the second component is "cn=hbacservicegroups" */
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher svc_comp_name = ldb_dn_get_component_name(dn, 1);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher if (strcasecmp("cn", svc_comp_name) != 0) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* The second component name is not "cn" */
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher svc_comp_val = ldb_dn_get_component_val(dn, 1);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* The second component value is not "hbacservicegroups" */
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* and the third component is "hbac" */
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher hbac_comp_name = ldb_dn_get_component_name(dn, 2);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher if (strcasecmp("cn", hbac_comp_name) != 0) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* The third component name is not "cn" */
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher hbac_comp_val = ldb_dn_get_component_val(dn, 2);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* The third component value is not "hbac" */
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* Then the value of the RDN is the group name */